ISO 27001:2022 Annex A — What Changed and How to Prepare
The 2022 revision of ISO 27001 brought the most significant changes to Annex A since the standard's inception. If you are certified to the 2013 version, you must transition by 31 October 2025. If you are pursuing first-time certification, you should certify against 2022 directly.
What Changed
Structural Reorganisation
The old structure of 14 control categories with 114 controls has been replaced with 4 themes and 93 controls:
- Organisational Controls (A.5) — 37 controls covering policies, roles, asset management, access control, and supplier relationships
- People Controls (A.6) — 8 controls covering screening, employment, awareness, and disciplinary processes
- Physical Controls (A.7) — 14 controls covering physical perimeters, equipment, utilities, and storage media
- Technological Controls (A.8) — 34 controls covering endpoint security, access management, cryptography, development, and monitoring
New Controls
11 entirely new controls were added:
- A.5.7 — Threat intelligence
- A.5.23 — Information security for use of cloud services
- A.5.30 — ICT readiness for business continuity
- A.7.4 — Physical security monitoring
- A.8.9 — Configuration management
- A.8.10 — Information deletion
- A.8.11 — Data masking
- A.8.12 — Data leakage prevention
- A.8.16 — Monitoring activities
- A.8.23 — Web filtering
- A.8.28 — Secure coding
Control Attributes
Each control now carries five attributes for better categorisation:
- Control type — Preventive, Detective, Corrective
- Information security properties — Confidentiality, Integrity, Availability
- Cybersecurity concepts — Identify, Protect, Detect, Respond, Recover
- Operational capabilities — 15 categories from governance to physical security
- Security domains — Governance, Protection, Defence, Resilience
How to Transition
Step 1: Gap Analysis
Compare your current 2013 controls against the 2022 structure. Netallion's ISO 27001 module maps all 93 controls with applicability tracking through the Statement of Applicability editor.
Step 2: Update Your SoA
The Statement of Applicability must be rewritten against the new control structure. For each of the 93 controls, document whether it is applicable, the justification, and the implementation status.
Step 3: Address New Controls
Focus on the 11 new controls. Most organisations already have some coverage through existing practices, but formal documentation is typically missing:
- Threat intelligence — document your threat monitoring sources and processes
- Cloud security — formalise your cloud governance approach
- Secure coding — document your development security practices
Step 4: Update Documentation
Revise your risk treatment plan, internal audit procedures, and management review processes to reference the new control numbering.
How Netallion Helps
Netallion provides the complete 2022 Annex A control set with:
- 40 key controls mapped across all 4 themes
- SoA editor with DOCX export
- Cross-framework mapping to NIST CSF and SOC 2
- Starter kit with policy templates and register structures